blackshades | d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe
Size

520KB
MD5

5e8a18a5d200ba39139ce321fd461142
SHA1

22aab52ba2cfaca96dd9a090f7d928ff117fb22e
SHA256

d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef
SHA512

a51cb26643241e24a3b7be660d5201c8ef25cf890a8fadbcba404b714cab59fedb9dba5f4131c9122239f8ee44c938ec41974163883cbcce0a92380275d536b6
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXj:zW6ncoyqOp6IsTl/mXj

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral1/memory/1648-644-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1648-649-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1648-651-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1648-653-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1648-654-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1648-656-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1648-657-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1648-660-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1648-661-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1648-662-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVRSA\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 25 IoCs

pid	Process
2348	service.exe
2940	service.exe
1348	service.exe
1544	service.exe
2320	service.exe
3024	service.exe
1724	service.exe
1004	service.exe
2688	service.exe
2608	service.exe
2112	service.exe
2832	service.exe
2316	service.exe
1736	service.exe
1508	service.exe
3064	service.exe
1436	service.exe
2804	service.exe
2580	service.exe
2380	service.exe
2940	service.exe
1624	service.exe
836	service.exe
1312	service.exe
1648	service.exe

Loads dropped DLL 49 IoCs

pid	Process
2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe
2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe
2348	service.exe
2348	service.exe
2940	service.exe
2940	service.exe
1348	service.exe
1348	service.exe
1544	service.exe
1544	service.exe
2320	service.exe
2320	service.exe
3024	service.exe
3024	service.exe
1724	service.exe
1724	service.exe
1004	service.exe
1004	service.exe
2688	service.exe
2688	service.exe
2608	service.exe
2608	service.exe
2112	service.exe
2112	service.exe
2832	service.exe
2832	service.exe
2316	service.exe
2316	service.exe
1736	service.exe
1736	service.exe
1508	service.exe
1508	service.exe
3064	service.exe
3064	service.exe
1436	service.exe
1436	service.exe
2804	service.exe
2804	service.exe
2580	service.exe
2580	service.exe
2380	service.exe
2380	service.exe
2940	service.exe
2940	service.exe
1624	service.exe
1624	service.exe
836	service.exe
836	service.exe
1312	service.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTMNXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOEPIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\LUQLUGVAFVWTCNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWMXQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHXXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCPFTPNSERUPILM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGDUSIIKFCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NPFXWEYOEJBSJHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\PCGCAQWOFEGCIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBVLMJREKP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVWKWHGKYBLRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTSUPNUQFTBJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPQLKMCPXGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\UFDHCKVAXSQTIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHCBDYTGNINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRAUYWKOUABHET\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAUQLVGVBFVWTCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYXJSJTPKTEUETU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEURR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRDSCRSQYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LGVTJTNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNPFTBJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNNLTFMQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUTXKAOKIYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDBISINFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQWNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RPUHLGEVTJJLGCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVIKFDGVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OGYPMGWQBRAQROX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMYCHVUG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNKJNAEAOUMDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONHRYIFPJKTWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVRSA\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2368	reg.exe
1652	reg.exe
1716	reg.exe
276	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1648	service.exe
Token: SeCreateTokenPrivilege	1648	service.exe
Token: SeAssignPrimaryTokenPrivilege	1648	service.exe
Token: SeLockMemoryPrivilege	1648	service.exe
Token: SeIncreaseQuotaPrivilege	1648	service.exe
Token: SeMachineAccountPrivilege	1648	service.exe
Token: SeTcbPrivilege	1648	service.exe
Token: SeSecurityPrivilege	1648	service.exe
Token: SeTakeOwnershipPrivilege	1648	service.exe
Token: SeLoadDriverPrivilege	1648	service.exe
Token: SeSystemProfilePrivilege	1648	service.exe
Token: SeSystemtimePrivilege	1648	service.exe
Token: SeProfSingleProcessPrivilege	1648	service.exe
Token: SeIncBasePriorityPrivilege	1648	service.exe
Token: SeCreatePagefilePrivilege	1648	service.exe
Token: SeCreatePermanentPrivilege	1648	service.exe
Token: SeBackupPrivilege	1648	service.exe
Token: SeRestorePrivilege	1648	service.exe
Token: SeShutdownPrivilege	1648	service.exe
Token: SeDebugPrivilege	1648	service.exe
Token: SeAuditPrivilege	1648	service.exe
Token: SeSystemEnvironmentPrivilege	1648	service.exe
Token: SeChangeNotifyPrivilege	1648	service.exe
Token: SeRemoteShutdownPrivilege	1648	service.exe
Token: SeUndockPrivilege	1648	service.exe
Token: SeSyncAgentPrivilege	1648	service.exe
Token: SeEnableDelegationPrivilege	1648	service.exe
Token: SeManageVolumePrivilege	1648	service.exe
Token: SeImpersonatePrivilege	1648	service.exe
Token: SeCreateGlobalPrivilege	1648	service.exe
Token: 31	1648	service.exe
Token: 32	1648	service.exe
Token: 33	1648	service.exe
Token: 34	1648	service.exe
Token: 35	1648	service.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe
2348	service.exe
2940	service.exe
1348	service.exe
1544	service.exe
2320	service.exe
3024	service.exe
1724	service.exe
1004	service.exe
2688	service.exe
2608	service.exe
2112	service.exe
2832	service.exe
2316	service.exe
1736	service.exe
1508	service.exe
3064	service.exe
1436	service.exe
2804	service.exe
2580	service.exe
2380	service.exe
2940	service.exe
1624	service.exe
836	service.exe
1312	service.exe
1648	service.exe
1648	service.exe
1648	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2788	2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe	30
PID 2672 wrote to memory of 2788	2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe	30
PID 2672 wrote to memory of 2788	2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe	30
PID 2672 wrote to memory of 2788	2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe	30
PID 2788 wrote to memory of 1352	2788	cmd.exe	32
PID 2788 wrote to memory of 1352	2788	cmd.exe	32
PID 2788 wrote to memory of 1352	2788	cmd.exe	32
PID 2788 wrote to memory of 1352	2788	cmd.exe	32
PID 2672 wrote to memory of 2348	2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe	33
PID 2672 wrote to memory of 2348	2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe	33
PID 2672 wrote to memory of 2348	2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe	33
PID 2672 wrote to memory of 2348	2672	d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe	33
PID 2348 wrote to memory of 2140	2348	service.exe	34
PID 2348 wrote to memory of 2140	2348	service.exe	34
PID 2348 wrote to memory of 2140	2348	service.exe	34
PID 2348 wrote to memory of 2140	2348	service.exe	34
PID 2140 wrote to memory of 3056	2140	cmd.exe	36
PID 2140 wrote to memory of 3056	2140	cmd.exe	36
PID 2140 wrote to memory of 3056	2140	cmd.exe	36
PID 2140 wrote to memory of 3056	2140	cmd.exe	36
PID 2348 wrote to memory of 2940	2348	service.exe	37
PID 2348 wrote to memory of 2940	2348	service.exe	37
PID 2348 wrote to memory of 2940	2348	service.exe	37
PID 2348 wrote to memory of 2940	2348	service.exe	37
PID 2940 wrote to memory of 1484	2940	service.exe	38
PID 2940 wrote to memory of 1484	2940	service.exe	38
PID 2940 wrote to memory of 1484	2940	service.exe	38
PID 2940 wrote to memory of 1484	2940	service.exe	38
PID 1484 wrote to memory of 444	1484	cmd.exe	40
PID 1484 wrote to memory of 444	1484	cmd.exe	40
PID 1484 wrote to memory of 444	1484	cmd.exe	40
PID 1484 wrote to memory of 444	1484	cmd.exe	40
PID 2940 wrote to memory of 1348	2940	service.exe	41
PID 2940 wrote to memory of 1348	2940	service.exe	41
PID 2940 wrote to memory of 1348	2940	service.exe	41
PID 2940 wrote to memory of 1348	2940	service.exe	41
PID 1348 wrote to memory of 808	1348	service.exe	42
PID 1348 wrote to memory of 808	1348	service.exe	42
PID 1348 wrote to memory of 808	1348	service.exe	42
PID 1348 wrote to memory of 808	1348	service.exe	42
PID 808 wrote to memory of 2916	808	cmd.exe	44
PID 808 wrote to memory of 2916	808	cmd.exe	44
PID 808 wrote to memory of 2916	808	cmd.exe	44
PID 808 wrote to memory of 2916	808	cmd.exe	44
PID 1348 wrote to memory of 1544	1348	service.exe	45
PID 1348 wrote to memory of 1544	1348	service.exe	45
PID 1348 wrote to memory of 1544	1348	service.exe	45
PID 1348 wrote to memory of 1544	1348	service.exe	45
PID 1544 wrote to memory of 1780	1544	service.exe	46
PID 1544 wrote to memory of 1780	1544	service.exe	46
PID 1544 wrote to memory of 1780	1544	service.exe	46
PID 1544 wrote to memory of 1780	1544	service.exe	46
PID 1780 wrote to memory of 1920	1780	cmd.exe	48
PID 1780 wrote to memory of 1920	1780	cmd.exe	48
PID 1780 wrote to memory of 1920	1780	cmd.exe	48
PID 1780 wrote to memory of 1920	1780	cmd.exe	48
PID 1544 wrote to memory of 2320	1544	service.exe	49
PID 1544 wrote to memory of 2320	1544	service.exe	49
PID 1544 wrote to memory of 2320	1544	service.exe	49
PID 1544 wrote to memory of 2320	1544	service.exe	49
PID 2320 wrote to memory of 916	2320	service.exe	50
PID 2320 wrote to memory of 916	2320	service.exe	50
PID 2320 wrote to memory of 916	2320	service.exe	50
PID 2320 wrote to memory of 916	2320	service.exe	50

C:\Users\Admin\AppData\Local\Temp\d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe
"C:\Users\Admin\AppData\Local\Temp\d2ec06ce203c1e16ba7b510f86c5c2bb93130587de69c5a3d576d9c7ca92d4ef.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLGEVTJJLGCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1352
- C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe
  "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTMNXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3056
- - C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe
    "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LUQLUGVAFVWTCNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:444
  - - C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe
      "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEPWMK.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHXXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVRECQ.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCPFTPNSERUPILM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1920
      - C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGDUSIIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSRDLD.bat" "
        10⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PCGCAQWOFEGCIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUROSN.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGYPMGWQBRAQROX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTBJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDHYUV.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPQLKMCPXGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHUCQ.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNAEAOUMDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
        16⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACESN.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVWKWHGKYBLRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUQFTBJ\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUQFTBJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUQFTBJ\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMDYBN.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKVAXSQTIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCBDYTGNINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUKIMH.bat" "
        20⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAUQLVGVBFVWTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRAMSX.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYXJSJTPKTEUETU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUTXKAOKIYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        23⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRDSCRSQYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHQCIN.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHRYIFPJKTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESN.bat

Filesize
163B

MD5
915411ea3b638ddf1d828bd4c04944f8

SHA1
26b7805b6a57738bd36639977bfac05bea89e5b2

SHA256
088c11b99afda07e23db8406da7cd07afb70c60b0eed370e0ac7475740003e11

SHA512
e93a22941dad3c13ca1d872b0cb35f793449664ac75af15a4c4c7a1f982dd8254bbb5fdd9646c746e44e7ea4f49bc68b6aff7a2584a59250299ac318405562d2

Download Submit
C:\Users\Admin\AppData\Local\TempAHUCQ.bat

Filesize
163B

MD5
e9ea081c5a41b847f5f8222a51e7da8a

SHA1
3b129936a5a39f7565d3313c5cf901807bac8cc9

SHA256
83515ba7a54b2fb22dd4585258b0f0bbcf368c4db790c760e686993ac7d0171d

SHA512
ed3791219f776ce47c40ba9dc6d27a7fb7c3b4340bfb49e806aedaa42d35e65dff753f8d35e7124efb0fca5cb3a8de44978f2d34cfc1bf581acbd373202398d0

Download Submit
C:\Users\Admin\AppData\Local\TempCGHQM.bat

Filesize
163B

MD5
52b2da79d3bef2b8f019d3e99ef1abf4

SHA1
e2182453c9a965e7e37b3d8a60b09cf64fc94315

SHA256
2b1432e092b6e4fd397724ee9f1b262d366b09b02b680896987517e5b573fdb4

SHA512
84bcb743ccbcca0b6cfee4c39de3b6765aded3007ec441d7f733713f5cb5b65c777ef6228193d015bdde52d44542a921c75b4c00d89e5fd2187b931900b6760b

Download Submit
C:\Users\Admin\AppData\Local\TempDHYUV.bat

Filesize
163B

MD5
6caee54811290c0ba3ad2e07b1957507

SHA1
d17ad892eba53ec95a587751b70b718f9a9bd42c

SHA256
5b17da4a0e30b6ed93655ae29f8d466765d1de54fcdcdddeae272322c9cae0fd

SHA512
5404129996074ef92229cbd4e6f3fb8fa84bf7136147a893bfd1b187bb6c8975627ebba2304d9cfbebc4706919bae80b75b5e62bb420bb498840575cadf6aba8

Download Submit
C:\Users\Admin\AppData\Local\TempEPWMK.bat

Filesize
163B

MD5
82ea3acb38f2cddfe0ce0a4dd3625967

SHA1
e3641c25d35e256d5ec5a27a79a6621d80a71984

SHA256
2cf61e9f1e595b875e68fe8d259ac62d04905307547afc0ebaca0393ead904a1

SHA512
ddcd21f510d02586ad67c3cb21d1485d2340d933cc69e0ac37b2c587de5f646b663775aef3a41dae24ac47cda8eed18d74c8f7a92af158678030bf948c413daa

Download Submit
C:\Users\Admin\AppData\Local\TempHQCIN.bat

Filesize
163B

MD5
30493e711746214f4cb231794ca6fdbf

SHA1
74e967f2fad112527285b875fa3ef7ed36a7cbb8

SHA256
e9258c1d03c1bed14b50fd662bcbe19aa0df65d317db637d4bfa3639abdb33b7

SHA512
be0201966917c90349451755f576a3f28e2bc081c6f79519a4f7d44c9508ab57422e9fa871ab3c0c7bc65733faa54d72af1365c282978f4d4e8d213b6885f0da

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.bat

Filesize
163B

MD5
3b1031cac9a0b596063dfaf94568c2b2

SHA1
23ee418a3dc22873f801d2a2bd090e22f87d119b

SHA256
137f3c3595124f1750bb46ea0cdb8716053eb4de5c94e0d09b5615d171af9d61

SHA512
71f887acb8e174fcf454959c5c6c26b818b4f0a0b0f8e83bdf29d4b2651234429321394ba8d4dc19b9a19e2d947e22a3b779caa638d862eb9ae6a7e9a89e25f9

Download Submit
C:\Users\Admin\AppData\Local\TempMDYBN.bat

Filesize
163B

MD5
56e62a5261bbb9ce37e157e5fceec40e

SHA1
4103106c6409939c1fd12cf35abe3ed28da06548

SHA256
448934e2951d7cc4e4444d9209fb88d131faf2c1755a0cce3e9577107e46b2fc

SHA512
860aef0aa30a9db4958069deb123e78e9893041b09bc260c0d833d28c5768cf1bbc39298448baff55a88fec9bf63e4a28b0f68b4d2d02e13c92a749cc49654ba

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.bat

Filesize
163B

MD5
357cbe590470b122d8dbbcfbe2980298

SHA1
2633699eef670397f2488efce9fd44fb4291d864

SHA256
40b616299d708573653d595d7509022e1cf83b85e1e66901584b1679d4608c9e

SHA512
815135f83f1fb7f4c50c3bebac779159739e5c0425f14984f8e6dd586730f0bfbfcc33df4e86a6da765186ad5da50cf20a3ce0606fb45471ee53225f9ef326f6

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
351119e46f798c1415001c88658bfaca

SHA1
690217c27eff4dcd537c066043fcc631e8b2089b

SHA256
5de0e56c154157dcd309b2f2112f7449347d3be617e07f7153c9c45ea0ba86cf

SHA512
769d08eb6e49d2e9b7abe512dc6745b0c2daa06144cc879b97a364337b290147b1ede38903a55d003f9546f356f4ec880bc0146c572da400f73adf64dcd8eef9

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.bat

Filesize
163B

MD5
cefdbdf3e03e35a03922a2739efb8950

SHA1
3a31bd0b4348e8e7674bf50c7914d4f20a2008d7

SHA256
dc8ff0c84c87ad432951831214861088639a8d0b992f8adb206caadda2fcfb69

SHA512
308278fb087d6df2de2e68bedea72fb061a38bb332e7bf3b13f934cf457a65b0e380c4acd79c8e2262dd2b45a5c6efc935abe3dd554c0fca0fcdb7f151b8cb90

Download Submit
C:\Users\Admin\AppData\Local\TempQUPXL.bat

Filesize
163B

MD5
77fb7b3b674bb437efff72e6f9af15d5

SHA1
e0996042797ef9aa3021581752684135473e1b9e

SHA256
c93e4840f6e06266123e0bfd7e059e5aa695953efdc870b0a63a5afe3a28c0e2

SHA512
54787de251dc7e90d9d6234fdb8edd3f21efa278d106c0b4a1cb11591363dfedbf81f65ee9f26ee6d63d24f0dcdf69b22b939b2dbb1bee30ebc6c616e3e132fb

Download Submit
C:\Users\Admin\AppData\Local\TempRAMSX.bat

Filesize
163B

MD5
f1422a66d3dcfed05784bee9041fdf21

SHA1
92e2de8c2d469da126c0b2e6663cc4a070a16f7f

SHA256
a73e0e14a89c34e9309422cbed1c5cf94cce53aff9141502c919a4de3f3e2810

SHA512
7c78d99711208e52723a0d5b9c1195f7fc3682357aca9bf926e499f0106eb4f0a5c967770688d53df57f1126f5864f2d0acf0d1d089adc9c7ddf166e683e1037

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.bat

Filesize
163B

MD5
f041eccce7f551790b2c0f141c2371ba

SHA1
180afe3a0774c0ed883589e5976d5fbaf2c281e0

SHA256
a05bd12817a17601f3763fbbb889159320bbd652b56ef34bb1f6105193903d42

SHA512
dbd390f540aaf5124445511d977a49889dc010c9715bf89fea123840304de65da6c0da5804ea5312635bd35c6962110abcb0e19d2e5bc8a773cf8d0d6420acc8

Download Submit
C:\Users\Admin\AppData\Local\TempSRDLD.bat

Filesize
163B

MD5
a921318713b91a88ef64528b376160f4

SHA1
2cb193ffd712d12fc2d4c0df67be5ca67df6d058

SHA256
061a43ea06111ccd40e85fb2869909040c4b683abd4734f18f2597a617200b40

SHA512
971a80ea39293ee18b26b5e81452bcd4cb36a70daa01c8f7c73dc012e73bb37957e2f79dce6129f8017046e108b5e556b7769118bb25eeef938ef18ddcd5c710

Download Submit
C:\Users\Admin\AppData\Local\TempTFMQC.bat

Filesize
163B

MD5
cfdfb84e49dfe6847ba1e17c53f35159

SHA1
da77ba105a48ad835fca9989a6af15f572bf5417

SHA256
51357c19a2d9039d8dbf64b780ede97baf3eadce3cc700c89036572f402954ef

SHA512
2c99745c2285234c0aae43c336231b54b3e595be42de1f5673afebf6fb2d9169efa310a372db192d1e9c5db1d5b556e48d7384bff4594e8e86c6ab47858bbbea

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
a3e636817c81440b8ec8f4a3fa40fe14

SHA1
7ce060d703b153db843dc9c98bd4d751fbe06292

SHA256
e9336459ff6c1d72c98003c12815003c4405a650da6ce3d5aac4ec3b2906c12e

SHA512
90256f066693580819968efbaa7c70955b49df02bede8faa27c6b9ac8de6231ed31d16f7456e69779e64dd4c52d2d4f0952db5132b2b335a6518e6cf57a97a4d

Download Submit
C:\Users\Admin\AppData\Local\TempUKIMH.bat

Filesize
163B

MD5
7a3cad131871fdb2f491cf0c768cf4c8

SHA1
8124fb5f3ce1024292b86153587ed9c8924a3232

SHA256
78aa267c83d3f6b7be3bf33c1bca09dedb2ef31e6c66de22f4d1b95bd77a26a0

SHA512
5c29b3b8dd4e2c04226cc1f9af682b6237a9d2c02935656ff4932ba6d118cf94f1736cc9bc9686d7b1e18a74b2d5f932323a5576cefa18e6617e704c1c100991

Download Submit
C:\Users\Admin\AppData\Local\TempUROSN.bat

Filesize
163B

MD5
225badbe317fcfc220d3b245f73e0f99

SHA1
6874ab9f8d4a484b3daddc3791ead69debd2ef2e

SHA256
85273369bfc8aeb927133ca7a7fa04ffd7ea3dda775b89bdd34641084089cd56

SHA512
83422c0a1fa109db4e7e1a2094a1171cc82781ba59e2ad3840cac00d5e2becb2d4002c322c4cee01522e6ab659d7a7228c52e5dcd822fe280997c4e67e6b6d61

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.bat

Filesize
163B

MD5
140205f1dbcd22563dedbd2f9ffd5951

SHA1
ffe54e186205b260d50eeb4a0449d8cf58d39436

SHA256
3f8f152677fb9d49d1f6ceb482e06b298924f219c5ba55657b2f3e99c89898d8

SHA512
b61d0caab116fc53dedd5b9c7b9462d6c4f608ddd807afc54aeef432ba510feb2d054a37e9a36309dafc4ae2fa2d5c7d67b1ce05a4b11212a2cd15812f0093e8

Download Submit
C:\Users\Admin\AppData\Local\TempVRECQ.bat

Filesize
163B

MD5
819157f138ea436a0a20e51d6c86a1ed

SHA1
298275c668d44eee423731a3bcd232f06238d123

SHA256
a09464ce1f2c00fdfe6597ae78d1ef3712d267354ad744e2bca65651f06467ad

SHA512
6d777f161407ffc382b722cfed7441d15c849a35dd40319e2d71525361cb5e77671743c208b6428fd801818c50458241627210569f27dda8c09bd516d5424136

Download Submit
C:\Users\Admin\AppData\Local\TempXIGKF.bat

Filesize
163B

MD5
5a6dcd900579cc4deed21c70484d98d9

SHA1
baa71148bac7fd3b5462851aaf3575b5d20dcfa6

SHA256
01f215143f045880fecb613b9dbccb74a4badf268cace67ce50063f54bee3140

SHA512
3d3b332d76e9041e688c62b3b5c71ceb6176121c89ae2ac133732071d977e75abfb547c2db790951a0bf7cc0ff07dd5002de786355391fde813792aac4faa39f

Download Submit
C:\Users\Admin\AppData\Local\TempYGOFD.bat

Filesize
163B

MD5
1c8a1be9bc3ebb31b2592214152bb854

SHA1
ad9dc2375b15466336615991e8f93396679cd5c7

SHA256
8276331203d869e2ccf20aa4070d1e22a3682ad54d69c4df288e5fb86522d8cb

SHA512
0b6179be6de759b1b4cd1597df2cc6df1de0223ef6b238cfbd33e6655e136fe8559094d8fea5dc783f79b33d91ea744ef491a6df1f420951c31626ad13dc7d81

Download Submit
C:\Users\Admin\AppData\Local\TempYKIMH.bat

Filesize
163B

MD5
c2893b20e5937daba90f7230d011dda0

SHA1
ee858c855fd8692ed85352f603c0cb2423daf4c4

SHA256
1c2d2c4a2a356dbb7a4f2653ab7313328cf8a4c2f529a58eec48d34b7071233f

SHA512
f5fe71fb77fd282e745fa6debe5ef663f701e6227279a3eeffeaee719368a70cc29ececfc62887ab8f39e93baba29faf23b99277a671468c7180d70f2ec5808d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe

Filesize
520KB

MD5
2048448c54052e7752bc149294b226f7

SHA1
6bac0c34285739ec69627d9ca5cb6585bb77671b

SHA256
29b53f3f75232dd79762d8519ba9945aedecad16197b3406aa39b696b196df66

SHA512
2d7c37b9347761cec549911ed93388287818a40224fe62caadfd3e52b72593351fe5b1a5a64cbb161a1f1ecf1105d3c8016fbc3341f2355921793862276d2f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe

Filesize
520KB

MD5
30d613cd20674204139ae6ceb1991adb

SHA1
4bd3562dd8e1cf15b5f6ae2469c3cfde67f4851f

SHA256
2501998a06c018accb478051af347a3c6629cb799e880594de03ae02709f352b

SHA512
ede8988f0b04e33eccdef73101f5daf8d1a301069653d07ac81fffc6a224b5e1b88df2957f4d3d8721d985a3ee72f48e3ca2d6eb60c987e4974ba3aa0ea5c504

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe

Filesize
520KB

MD5
b69045f72067578959f5bfc3367cb3a4

SHA1
f17c5ab7e6bce91a692c56ee1078ad7e64dce375

SHA256
550272108f59aab29587ee7b1f5ce2d1c3cdc9c44bdf007a1d4c1d881321aead

SHA512
e21be41715c7759dd7bba6e46fed4f43745f9ef4e6c8245ac4369281a466683159da220447e03a7c5dc127dc13a3fb97eb4882cea8921fd847c6263504307fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe

Filesize
520KB

MD5
b2268878003c6b7d2c27811184b664ed

SHA1
fd5342c9ab1e07198c6eda9c62cf2ad11e36398c

SHA256
90a204fe2a298c2d44230e7fd14c07fb31586d90260809660451e80e83c05681

SHA512
bbbcf3d41456b70a63d40bb062afe90879f7925ec19d3c14600a4daae872ccab8950c96b6719c1faa9b6b33dd211ccf815a426769fa27595b65c387ce698be5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe

Filesize
520KB

MD5
d4289a55f9058b67157cb63d2b8d2899

SHA1
55a732da71903a56a942699b8ef4efb1a7e679f5

SHA256
1a68aa2cab655d42b39b0ed498d3e78542e43e4f51faea1a4ef098c422f28f1f

SHA512
5eda3c38dca217e69e74e4048b5abf2a5691e3caf7d4c0c15cf740d0861356407ef764f030928025ee3610654ff53ffa52049d34bc22f0c6062390245bdb1549

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe

Filesize
520KB

MD5
956184471cb74b9552d426db896391e3

SHA1
51d865153e43d96bb03109b23b27c9ca45386044

SHA256
84e777ce5a21d7e0bc5a8fd74c5d531ec1fb1ee83a3a7b20185c5c31c7d9b65c

SHA512
bac209da08d695ac976ff5234516bf0b1a9fd1d0b1988cb572ca6f4ff12eaab1d0543926e575b24cff0f62ac435d63237cc17b4e52f907b9fe4e7e69b7c9ff58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe

Filesize
520KB

MD5
8d57090009e1361dd4b8c870b903c97b

SHA1
f0460afb5f96fd3facff4523db742408fe388500

SHA256
bd67a2f0d2ae9bb519b54b2a5cc8fabfd1afb7d77c03b48b4b6fea12787b505c

SHA512
3cb586566a93745c7ec176bfc33fa5bc646480ab9cdcdaa9005b28f0de0a7722bd00d811292171f3fa66a272fe219f87c1a754b39dce39157ff85547ac64c27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe

Filesize
520KB

MD5
403f1fb57e1a93f02aee5cf986f8f10c

SHA1
6356eb2aea5c5a9bf887a5cf4fe589b1d3d52a31

SHA256
7cef11ad24c4c7b244682917864c2183dd1a40b92e698b9846b3b9ebd25673e8

SHA512
1967f3047c3d9f9a5dbce72c630e393303cd5e284f1c2674bcaab9e99dd35a7627e320556b70928fcbed80828bc2c8648d3b26ea5ef672c48ae824f455943166

Download Submit
\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe

Filesize
520KB

MD5
e8394e5e16c2de6a65167789a14daac4

SHA1
8c646e500076a9a56f92e515465acddb8bf560e6

SHA256
21e760a8276b37bca2fe922e65fb10eb37c1d68b2687a3c9492e65865f84e043

SHA512
c26db6773d42398ff8b7c78edbc31b253c0956e679878a8d293fa6389d9262a8b75276526d44df8bdd047619deb9dbd64682561f6f6db807ab23531e1464d6cb

Download Submit
\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe

Filesize
520KB

MD5
7a6c332dfc98eb38f49c17a5e27c2873

SHA1
2391d0d3d4e2ac7eabbb12fe190d09bf4fc96b51

SHA256
ea13535fe23f35daffb9701e6babf25a78fbb59f02eb0a664889c26f30fb1fd4

SHA512
a5ffc840064f2693a6f828aa47dc4de9ac236085357f6a9988cddee092830b6bd9fee0dee628b5634312fe865ea21d2a1a461fe90a87fe41da4c850f6f8f9b9b

Download Submit
\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

Filesize
520KB

MD5
6c5677cc95119d83c8cecbbe9f76ea0e

SHA1
1190eebf7d1dbbd8cefe401e42fa07451634c386

SHA256
92b32193f98ae235849232efa10136893b2f0a17e6520506e80ce931447472f8

SHA512
e4b0c7c78609e55d15ed7cc04e389746c3ac684e6685a50d0700fd837707410e695fcefe99b76368fb47170af85829a61e3df1c4e739286a0f69f6f0698e41cc

Download Submit
\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe

Filesize
520KB

MD5
c810dce86510986b5e614f977e9ceca1

SHA1
8f9f8288782535fcbfe58b6ff1c7992c3a14a7c8

SHA256
0f8df47f7140e5ccdcd4f4870f85e941ca9ccb427cdecf8007db42a23f9035fd

SHA512
2bd015f5856428a8714d6566cb1ac27b350438195bd0e1cda7d714cf134a0a77b2968d05501db9b8687f8a2895d1db2c2a18eb4ce355f7e36b2b77395986bdcc

Download Submit
\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe

Filesize
520KB

MD5
85dce5ff26c92a7b515da8e00be1e60a

SHA1
7702f0903809477d353138246f6b864b8081499d

SHA256
006db533f90280d0369e227fec3f10885877f690e94d5666ae703d7460e250fa

SHA512
f35e5fa7570ad628d78f7db9212b75a368c4d2c76fc64bb56cc86cf2f78a51efc96fe5ad85d37f2a33c0f0c4cdba0cb582387421baa41c86b15a0bc5be036b0d

Download Submit
memory/1648-651-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1648-649-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1648-644-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1648-653-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1648-654-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1648-656-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1648-657-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1648-660-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1648-661-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1648-662-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads